Testing (security testing in particular) on internal tools should be incorporated into the QA process. A responsible software company shouldn't produce insecure software, regardless of whether this software is meant for internal use only.